
Need help gathering electronic evidence

Hello all,

I have a unique opportunity to actually learn and watch a cracker at work (without him/her suspecting a thing).

Here is the situation. My mom has an XP pro box that has Norton Personal Firewall and Norton AV on it. What happened is that she had someone work on her system (not me -- which was her first mistake... lol), and we think that he/she installed a spy program that allows remote access and works in stealth mode. The only reason I know this prog is on the system is I happened to stumble across the log files (it takes a screenshot every 10 - 15 sec). I do not recall the exact program at the moment. If you need to know, pm me and I will get it for you tonight. Anyways, we do not have proof that he/she did it, but we want to get proof. I have created a ghost image of her system as I am going to redo her machine with a clean install of everything and a copy of all the other stuff that she needs. However, I want to gather forensic evidence of this person in action. I also want to prove that the perp is who I think it is. Any help with the following questions would be greatly appreciated.

1) Is it legal to set up a box on my network with this ghosted image for the sole purpose of catching this person in action?

2) Will this cause legal issues if my mom decides to press charges? (I know for a fact that the person in question has done this before... I caught him/her red handed)

3) If I set up this box on my router, is it best to put it in the DMZ?

4) What network sniffing prog (preferably free as I'm not rich by any means) would be best to use so that I can capture all traffic going to this box?

5) How do I record this log info in such a way that it is admissible in court if I need it?

6) I am pretty sure I know who the perp is and this one fact. (the suspected perp is using a static IP) So, once I find the IP of the person remote connecting to the box, how do I find out (legally) if that IP matches up with the suspect?

Just to reiterate, I am trying to gather electronic evidence against the perp that is admissible in court; however, due to my mom needing this box back for her work at home, I need to do a reinstall ASAP and there isn't time to let the box sit on my network for a couple weeks.

Thanks for all your help! -- Th3>kLuTz

EDIT.......... It looks like the perp uninstalled the proggie, however, there are a myriad of open listening ports on port numbers 1000 and up....

M$ support is like shooting yourself in the left foot and then putting a band-aid on the right one.
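One concrete step behind question 5 is to fix the integrity of the ghost image and the screenshot logs the moment they are taken, so you can later show that the files you hand over are the ones you captured. The script below is an added example, not code from the thread: it writes a SHA-256 manifest with a UTC timestamp and the collector's name, and re-verifies the files against it. The file names in `demo()` (`capture.log`, `disk.gho`) and the log line are constructed stand-ins for the real image and log files.

```python
"""Build and verify a SHA-256 manifest of evidence files (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash large disk images without loading them whole


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collected_by="<collector name>"):
    """Record who collected which files, when, and their hashes and sizes."""
    return {
        "collected_by": collected_by,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "files": [
            {"path": os.path.abspath(p),
             "size": os.path.getsize(p),
             "sha256": sha256_file(p)}
            for p in paths
        ],
    }


def save_manifest(manifest, path):
    """Write the manifest as JSON; return its own hash to note down separately."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2)
    return sha256_file(path)


def verify_manifest(manifest):
    """Return the paths whose current hash no longer matches the manifest."""
    bad = []
    for entry in manifest["files"]:
        p = entry["path"]
        if not os.path.exists(p) or sha256_file(p) != entry["sha256"]:
            bad.append(p)
    return bad


def demo():
    """Constructed walk-through: clean verify, then detect a modified log."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "capture.log")   # constructed stand-in
        img = os.path.join(d, "disk.gho")      # constructed stand-in
        with open(log, "w") as f:
            f.write("2004-01-01 10:00:00 screenshot saved\n")  # constructed
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096)
        manifest = build_manifest([log, img], collected_by="<collector name>")
        save_manifest(manifest, os.path.join(d, "manifest.json"))
        before = verify_manifest(manifest)          # expected: []
        with open(log, "a") as f:
            f.write("tampered\n")                    # simulate a later change
        after = verify_manifest(manifest)           # expected: [log]
        return before, [os.path.basename(p) for p in after]


if __name__ == "__main__":
    print(demo())
```

Hash the image and logs on the original box before it is rebuilt, keep the manifest (and its own hash) on separate media, and re-run `verify_manifest` before handing anything to the authorities so that any later change is visible.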

Well you can at least get the guy fired from wherever he works, should be no legal issue with setting up a honeypot type system with the ghost image, then run some sort of packet sniffer between it and the world and see what's passing on the wire.

As for finding the IP...that is something for the courts to do, when you have some evidence hand it over to the authorities (FBI handles this stuff now I think, used to be the Secret Service..contact your local police or sheriff they would know.) they can subpoena the user's ISP and match the attacking IP to the user.

Definitely put the box on the DMZ as it would be a bad idea to have a compromised box inside your network.

As for penalties that would depend on your area prosecutor...but he will probably go to jail for a bit

I believe you said she had someone work on the computer (as in physically). If you can determine what program it is and find the software you can probably determine the date of the installation and compare that to the time this person worked on the computer. That should provide a little more evidence if you need it.

Thank you for your input. I am checking this out...however, I need to really know what the best free sniffer is that I can use on the WinXP box.. I have done a netstat -a -o command and found a bunch of listening ports with their PIDs. Is there a way to find out what programs are listening on those ports? Any PID converters? Thanks


Depending on the prosecutor? She probably COULD press charges but dunno about jail time, lmao. Sadly, your mom willingly and knowingly let him access and work on the computer which means she gave him permission. Whether he visited a website while on it for fun, looked at pr0n, played a game, or installed an application is going to be irrelevant in court due to the fact permission was given for him to be on the computer. All he did was not follow one of her "computer rules" or whatever. However, the log files should have a path in it leading to the program or its directory.

Ahh if you have netstated numerous times, try catching which IP he's working from. Resolve some IPs to hosts, figure out which ones are websites/applications and then narrow down from there. Do some lookups too as in pinging, do some monitoring of which ports seem to be most active and how much activity, close them, etc. If you need more extensive help, PM me and I'll do my best.
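The two questions above (which program owns each listening PID, and which remote IP is connected) can both be answered from the box itself: `netstat -a -n -o` prints the owning PID per socket, and `tasklist /fo csv` maps PIDs to image names. The script below is an added example, not code from the thread, and the two output samples in it are constructed to look like Windows XP output (the process name `example_remote.exe`, the PIDs and the address `203.0.113.77` are placeholders). On a real box you would paste or redirect the output of those two commands into the same two strings.

```python
"""Join `netstat -a -n -o` with `tasklist /fo csv` (added example)."""
import csv
import io
import re

# Constructed sample of `netstat -a -n -o` output; not a real capture.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1344
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1344
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1820
  TCP    192.168.1.10:5900      203.0.113.77:51234     ESTABLISHED     1344
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv` output; process names are placeholders.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","952","Console","0","4,212 K"
"example_remote.exe","1344","Console","0","3,880 K"
"example_av.exe","1820","Console","0","6,124 K"
'''

# proto, local, foreign, optional state (UDP rows have none), PID
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$"
)


def split_addr(addr):
    """Split 'ip:port' (or '*:*') into (ip, port-or-None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lip, lport = split_addr(local)
        fip, fport = split_addr(foreign)
        rows.append({
            "proto": proto, "local_ip": lip, "local_port": lport,
            "foreign_ip": fip, "foreign_port": fport,
            # UDP sockets bound with '*:*' are effectively listeners
            "state": state or ("LISTENING" if proto == "UDP" else ""),
            "pid": int(pid),
        })
    return rows


def parse_tasklist(text):
    """Map PID -> image name from the CSV form of tasklist."""
    return {int(r["PID"]): r["Image Name"]
            for r in csv.DictReader(io.StringIO(text))}


def listening_report(netstat_text, tasklist_text, min_port=1000):
    """Non-loopback listeners on port >= min_port with the owning process."""
    images = parse_tasklist(tasklist_text)
    out = []
    for r in parse_netstat(netstat_text):
        if r["state"] != "LISTENING" or r["local_port"] is None:
            continue
        if r["local_ip"].startswith("127.") or r["local_port"] < min_port:
            continue
        out.append((r["local_port"], r["proto"], r["local_ip"], r["pid"],
                    images.get(r["pid"], "<pid not in tasklist>")))
    return sorted(out)


def remote_peers(netstat_text, tasklist_text):
    """Established connections: remote IP/port and the local process involved."""
    images = parse_tasklist(tasklist_text)
    return sorted(
        (r["foreign_ip"], r["foreign_port"], r["pid"],
         images.get(r["pid"], "<pid not in tasklist>"))
        for r in parse_netstat(netstat_text)
        if r["state"] == "ESTABLISHED" and not r["foreign_ip"].startswith("127.")
    )


if __name__ == "__main__":
    for row in listening_report(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("LISTEN", *row)
    for row in remote_peers(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("PEER  ", *row)
```

Run both commands repeatedly and keep the dated output files: the `remote_peers` list gives the foreign IP that question 6 asks about, and a PID that appears in `netstat` but not in `tasklist` (reported as `<pid not in tasklist>`) is worth a closer look, since a process that hides from the task list is exactly the stealth behaviour described in the first post.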